Monday, March 8, 2010

Spring JCE / PKCS11

At work we have a need to integrate JCE with network crypto boxes. Turns out, with Spring, it's almost completely trivial.

If you're going to be using either a smart card or a network crypto provider, what you're likely to wind up with is a PKCS11 module for your platform. Sun provides a PKCS11 JCE provider shim that wraps such a module.

First, there is a very handy Spring idiom for adding providers to JCE at runtime. Here's how you can load BouncyCastle, for example, in a Spring application context as a throw-away bean (from this post at the SpringSource forums):


<bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
    <property name="staticMethod" value="java.security.Security.addProvider"/>
    <property name="arguments">
        <list>
            <bean class="org.bouncycastle.jce.provider.BouncyCastleProvider"/>
        </list>
    </property>
</bean>


You can add the PKCS11 provider in almost exactly the same way. The only change is how you declare the actual provider bean within the <list>:


<bean class="sun.security.pkcs11.SunPKCS11">
    <constructor-arg>
        <bean class="PKCS11ConfigFactoryBean">
            <property name="modulePath" value="path/to/pkcs11/module"/>
        </bean>
    </constructor-arg>
</bean>


The PKCS11ConfigFactoryBean's job is to spit out an InputStream, which it builds from an in-memory configuration file assembled from its properties. You can check the PKCS11 provider's documentation for the complete list of the contents of the config file, but at the very least, it has to contain a line that says "library=path/to/pkcs11/module". After filling a StringBuffer with the configuration options (don't forget to separate each line with \n), the getObject() method should return new ByteArrayInputStream(buffer.toString().getBytes()).
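Here is one way to write that factory bean. This is an added example, not the code from the original post; it assumes Spring 3's generic FactoryBean interface, and adds optional name and slotListIndex properties (both are real SunPKCS11 config keywords; the provider requires name as well as library).

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;

import org.springframework.beans.factory.FactoryBean;
import org.springframework.beans.factory.InitializingBean;

// Builds the SunPKCS11 configuration in memory and hands it to the provider
// as an InputStream, so no config file has to live on disk.
public class PKCS11ConfigFactoryBean implements FactoryBean<InputStream>, InitializingBean {

    private String modulePath;              // required: the PKCS11 .so/.dll
    private String name = "SpringPKCS11";   // required by SunPKCS11; suffixes the provider name
    private Integer slotListIndex;          // optional: which token slot to open

    public void setModulePath(String modulePath) { this.modulePath = modulePath; }
    public void setName(String name) { this.name = name; }
    public void setSlotListIndex(Integer slotListIndex) { this.slotListIndex = slotListIndex; }

    // Fail at context startup rather than with an obscure provider error later.
    @Override
    public void afterPropertiesSet() {
        if (modulePath == null || modulePath.trim().length() == 0) {
            throw new IllegalStateException("modulePath (the PKCS11 library) is required");
        }
        if (name == null || name.trim().length() == 0 || name.matches(".*\\s.*")) {
            throw new IllegalStateException("name must be a non-empty token without whitespace");
        }
    }

    // The config format is one "key=value" per line, separated with \n.
    String buildConfig() {
        StringBuilder buf = new StringBuilder();
        buf.append("name=").append(name).append('\n');
        buf.append("library=").append(modulePath).append('\n');
        if (slotListIndex != null) {
            buf.append("slotListIndex=").append(slotListIndex).append('\n');
        }
        return buf.toString();
    }

    @Override
    public InputStream getObject() throws Exception {
        return new ByteArrayInputStream(buildConfig().getBytes("UTF-8"));
    }

    @Override
    public Class<?> getObjectType() { return InputStream.class; }

    // A fresh stream each time: SunPKCS11 consumes the stream while parsing it.
    @Override
    public boolean isSingleton() { return false; }
}
```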

Once you have the provider, you'll want to obtain a keystore. Your actual working code should be in the form of a bean that has a java.security.KeyStore property. You'll use the KeyStore to obtain the certificates and keys that are stored in the hardware. Spring provides the KeyStoreFactoryBean to fetch, load and initialize the keystore and plug it into your code. Just specify that you want a type "PKCS11" keystore and use the PIN as the password. You can then look up the certs and private keys and use them as normal. Of course, the PrivateKey object you get back won't actually be the key - calling getEncoded() on it, for example, won't work - it'll just be a sham object that provides a pointer to the actual key when it comes time to use it.
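The bean that consumes the keystore might look like this. It is an added example rather than the post's own code; it assumes a KeyStore of type "PKCS11" that was already loaded with the PIN, a key pair stored on the token under a known alias, and a token that supports the SHA256withRSA mechanism.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Signature;
import java.security.cert.X509Certificate;

// Signs with a key that lives on the token; the key bytes never enter the JVM.
public class TokenSigner {

    private KeyStore keyStore;                  // injected, type "PKCS11", loaded with the PIN
    private String alias;                       // label of the key pair on the token
    private String algorithm = "SHA256withRSA"; // must be a mechanism the token offers

    public void setKeyStore(KeyStore keyStore) { this.keyStore = keyStore; }
    public void setAlias(String alias) { this.alias = alias; }
    public void setAlgorithm(String algorithm) { this.algorithm = algorithm; }

    public byte[] sign(byte[] data) throws GeneralSecurityException {
        // SunPKCS11 ignores per-entry passwords; the PIN was supplied to load().
        PrivateKey key = (PrivateKey) keyStore.getKey(alias, null);
        if (key == null) {
            throw new GeneralSecurityException("no private key on the token under alias " + alias);
        }
        // The object is only a handle, so getEncoded() yields null. Treat an
        // exportable key as a misconfigured token rather than silently using it.
        if (key.getEncoded() != null) {
            throw new GeneralSecurityException("key under alias " + alias + " is exportable");
        }
        // Ask the PKCS11 provider itself for the Signature: a software provider
        // cannot use the handle and would reject it with an InvalidKeyException.
        Provider p11 = keyStore.getProvider();
        Signature sig = Signature.getInstance(algorithm, p11);
        sig.initSign(key);
        sig.update(data);
        return sig.sign();
    }

    public boolean verify(byte[] data, byte[] signature) throws GeneralSecurityException {
        // The certificate is public, so any provider can do the verification.
        X509Certificate cert = (X509Certificate) keyStore.getCertificate(alias);
        if (cert == null) {
            throw new GeneralSecurityException("no certificate under alias " + alias);
        }
        cert.checkValidity();
        Signature sig = Signature.getInstance(algorithm);
        sig.initVerify(cert.getPublicKey());
        sig.update(data);
        return sig.verify(signature);
    }
}
```

Wire keyStore and alias in the application context next to the provider registration; if the token does not implement the chosen algorithm, Signature.getInstance will throw NoSuchAlgorithmException at first use.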

Monday, March 1, 2010

ATK Rice pudding

ATK has done it again. I modified the recipe a bit. It makes a bigger batch, but is just as tasty.

Rice Pudding

1½ cups medium grain rice
3 cups boiling water
1 tsp salt
1 cup sugar

3 cups cream
4 cups skim milk
or
3½ cups half-and-half
3½ cups whole milk

flavorings of your choice

Combine rice, salt and water in a larger pot than you think you need. Bring to a boil, reduce to a simmer and cover for 15 minutes.

Add dairy and sugar, return to a boil and simmer for 30 minutes uncovered, stirring occasionally. After 30 minutes, continue to simmer for 15 more minutes, stirring more frequently to avoid scorching. Continue until the pudding can hold a wooden spoon standing straight up.

For flavorings, I like vanilla and cinnamon. There are a plethora of other options, including rose water, raisins, pistachio, walnuts, almonds.....

Sunday, February 28, 2010

Nissan LEAF - just one thing missing

I just saw an ad on TV for the Nissan LEAF, which apparently is an EV car for 2010. It has a 100 mile range, which is respectable. I think my next car is very likely to be an electric car. And a 100 mile range is probably fine, but it means we'll never take the car on a long trip.

The solution, however, is the concept of the "pusher trailer." These typically are made from old Volkswagen Rabbits. They're front wheel drive cars, which means that everything behind the firewall can be removed and thrown away. You attach a trailer hitch to the front, lock the steering, provide remote control for the throttle, etc. and you're done.

With a pusher, an EV becomes a hybrid. They generally can run in a few modes:

1. The pusher can be off and in neutral for city driving.
2. The pusher can be pushing and the EV can be in neutral. This preserves the battery of the EV, and maximizes the fuel economy of the pusher.
3. The pusher can be pushing and the EV can be in drive and coasting. In this mode, the regenerative braking of the EV charges the battery with some of the energy delivered by the pusher.

Now, hackers have achieved this, so there's no reason at all that manufacturers couldn't make pusher trailers for EVs. In fact, if they were available for rent, there's no reason I'd want to buy one. If I was able to rent a pusher for taking a long trip, everybody would win:

1. I'd get to take a long trip without worrying about the batteries.
2. Whoever rents them would be able to maintain them properly, which is good for the environment.
3. I'd do the vast majority of my driving on pure electricity, which is good for both the environment and my pocketbook.
4. As fuel cell technology improves, I can foresee the pusher trailers eventually being replaced by fuel cell generators that would just plug into the car and keep the batteries topped up over a long trip.

The auto manufacturers could, in fact, create a standard for a pusher trailer interconnection with an EV. Making it different from a traditional trailer hitch would have some advantages, in fact, since it's fairly clear that the manufacturers wouldn't want to encourage folks to attempt to tow trailers with EVs (their range is short enough without adding more weight to them). Plus, there needs to be additional control signaling from the cab to the trailer. Finally, the software running the EV, were it aware of the potential availability of a pusher trailer, would no doubt make better battery management decisions when it detected one was hooked up.

The biggest problem I see with this concept being productized is not, in fact, technological at all. It's regulatory. One hacker can lop the ass-end off a VW rabbit, call it a trailer, and probably get it licensed as such simply because the DMV staff won't know how it could be anything else. But that doesn't really fly when a manufacturer tries to make n dozen thousand of them and sell them. Moreover, they would need to be able to say with a straight face that pusher trailers are safe. That means all sorts of testing and on and on and on.

Still, the concept is just too good for it not to be considered. The big question is, who will be the first auto manufacturer brave enough to embrace the concept and lead the effort to bring it to fruition?

Friday, February 26, 2010

Seriously, there's nothing better they can do with their time?

News comes to us via the MurkySnooz that the state assembly has declared next week a no cussing week.

Fuck that bullshit!

Thursday, February 25, 2010

Hey Scott...

Here's a clue for Scotty Lago:

Dude! If it was a gold medal, then maybe I'd say you could dangle it from your johnson for the chicks. But you do it with the bronze and you're just going to get bitch-slapped by the guys with silver and gold.

Wednesday, February 24, 2010

Note to self...

Next time you're at the grocery store, and you see someone with WIC checks...



Move immediately to a new line. Doesn't matter if you're next. You'll still get out of the store faster by starting over at the end of another line.

Just sayin'.

Monday, February 22, 2010

Import private key into java keystore - an easier way

If you ask google how you import a private key into a Java keystore file, the answers you get back all have source code for opening a DER file, reading it in and writing a keystore file programmatically.

That works, but I've discovered a much, much easier way.

The -storetype argument to keytool allows you to translate key material. In fact, jarsigner can take the argument -storetype pkcs12, meaning you don't need to keep your signing key in a JCE keystore at all. But I digress.

If you can make a pkcs12 file with your private key and certificate - which should be easy with openssl's pkcs12 command - then you can use the following command to turn that into a java keystore:

keytool -importkeystore -srckeystore file.p12 -srcstoretype pkcs12 -destkeystore file.jceks -deststoretype JCEKS

Sunday, February 21, 2010

I have climbed the mountain

When Sir Edmund Hillary reached the summit of Mt. Everest, he closed the books on the record for the highest altitude a mountain climber could achieve. The only thing anyone could ever do from then on was tie.

And thus it is with me today. I have climbed the mountain.

There is no worse beat possible in Hold'Em. You cannot be in a worse situation than having exactly two cards in the deck that save you - and needing them both to come out on the turn and river (obviously not counting drawing dead).

My luck being what it is, I am, of course, on the losing end. So yet another achievement for my badge list, to go along with losing with a straight flush and catching under-quads.

Full Tilt No-Limit Hold'em, 6.25 Tournament, 20/40 Blinds (2 handed) - Full-Tilt Converter Tool from FlopTurnRiver.com

Hero (BB) (t2173)
SB (t827)

Hero's M: 36.22

Preflop: Hero is BB with 9♦, 9♣
SB calls t20, Hero bets t120, SB calls t80

Flop: (t240) 4♣, 9♠, 6♠ (2 players)
Hero checks, SB bets t707 (All-In), Hero calls t707

Turn: (t1654) 6♥ (2 players, 1 all-in)

River: (t1654) 6♦ (2 players, 1 all-in)

Total pot: t1654


Results:
SB had 6♣, Q♥ (four of a kind, sixes).
Hero had 9♦, 9♣ (full house, nines over sixes).
Outcome: SB won t1654

He went on to win the tournament - I got it in with top set again, but this time was fucked over by a mere flush draw.

Wednesday, February 17, 2010

Adventures in bad marketing

Saw this ad on the side of a Samtrans bus today:



Now, I can't read Hindi, but I can't possibly imagine what this text might say that would be a reasonable attempt to market beef to Hindus.

Either that, or McDonald's is implying that there is no beef on their dollar menu (never mind there is a prominent picture of a double-cheeseburger in the ad). This is, in fact, the case in India - the McDonalds' there serve mostly chicken sandwiches, I am told. But this is Redwood City, not New Delhi.

Either way, it seems like dumb marketing to me.

Tuesday, February 16, 2010

Ancient firmware updates

It's not every day that you set out to upgrade the firmware of a 10+ year old device.

One of the oldest pieces of gear still operational at our house is the fax modem out in the garage. It waits patiently for the phone to ring and receives faxes. Most of them are for Scarlet. The few that aren't are junk. But every once in a while sending an image of a signature or form or some such is necessary, and e-mailing a PDF won't work, so it's nice to have the option to use the old methods.

I was poking around the Internet looking for something else, when I managed to wander down the path towards US Robotics, which was bought some time ago by 3Com. In fact, they still have a USR website, including a support section for a lot of their obsolete products. I was able to root around and find my model of Courier V.Everything. I bought it sometime in, oh, 1997 or 1998 or so. I don't remember.

I opened up the serial port and did an ATI7 and, in fact, it informed me that the firmware was out-of-date, and that they had a DOS based updater for it. Ew. Well, I read a little further, and believe it or not, they had a mechanism for updating the firmware for folks running without DOS/Windows. If you send AT~X! to the modem, it starts doing an XMODEM receive for a firmware update. How convenient! Well, I was using kermit as a modem terminal program, but shelling out from kermit's command mode allowed me to use the lrzsz package from the ports tree to send the firmware. And it was done.

I'm not sure if the update did a lot. The same set of AT commands appears to be present. Hopefully it might have a positive impact on the fax reliability. I don't really use the modem for anything else.

Sunday, February 14, 2010

Chocolate Chip Cookies, the final word

My favorite two cooking shows are America's Test Kitchen and Good Eats. I love them both because they really take a proper scientifically educational tack. What I mean by that is that they do more than tell you how to do something, but they show you why you should take their advice. They both do this by taking a dish we all know, and may not be entirely fond of, and prepare it, all the while explaining why they do it the way they do.

It's particularly interesting when both shows cover the same topic, as they recently (or in the case of Good Eats, not so recently) did for one of the quintessentially American dessert recipes of all time: The Chocolate Chip (aka Toll House) cookie. This recipe was made famous by the Nestlé company, which printed the recipe on the back of every bag of chocolate chips they've sold since the end of the Pleistocene.

I grew up with these cookies. My mother used to bake them and mail them to me in care packages when I was at summer camp. And they were good. But I never had particularly high standards for them.

What changed my mind was the Good Eats episode, "Three Chips for Sister Marsha," where he took the original recipe and demonstrated how to tweak the recipe to send it in three different directions, resulting in caky cookies, thin crispy cookies, or - my favorite - chewy cookies.

I've been making Alton's Chewy recipe for years now, with great success. Until a few days ago, I figured it was the last word on the subject. But I just watched the latest episode of ATK, called "The Cookie Jar," where they made chewy toll house cookies.

So now we have my two favorite cooking authorities weighing in on the same subject. Let's compare and contrast.

Alton specified bread flour, ATK was content with AP. Alton used the customary 2 and 1/4 cups, ATK reduced it to a cup and 3/4.
Alton replaced the 2nd egg white with 2 tbsp of milk. ATK simply omitted it.
ATK doubled the vanilla quotient. Alton left that alone.
While Alton melted the butter, ATK went to the extra trouble of actually browning it.
ATK used 14 oz of butter - 10 browned and 4 added whole to cool - Alton stuck with 16 (two sticks).
ATK used 3/4 cup of brown sugar and half a cup of white. Alton used 1 and 1/4 cups of brown and 1/4 cup of white.
ATK used 1/2 tsp of baking soda, Alton stuck with 1 tsp.

Rather than go to the ATK website and print out the recipe or try to use the pause button and get the ingredients, I decided to simply use the same Alton "chewy" recipe I've been using all along, but to brown 3/4 of the butter first, cooling it with the remaining butter before combining the result with the sugar. I also let them cool on the pan (as ATK suggested) rather than moving them straight to a plate to cool.

The other ATK recommendation concerned the chips. They recommended Ghirardelli bitter-sweet chips, rather than the Nestlé milk chocolate chips I usually buy.

So how did they turn out?

I'm very happy with them. I actually think that the change to the bittersweet chips made the biggest difference. The cookies have a powerful chocolate flavor that they never really had before. Cooling them on the pan crisped up the bottoms, giving them a sort of half crunch, half chew consistency that is nice. I think the chocolate flavor of the chips overwhelms whatever other differences there may have been in the batter, but Scarlet disagrees with me there - perhaps my palate isn't discriminating enough.

Setting up the Netgear MBR624GU 3G router

I went through the setup process for the MBR624GU taking screenshots as I went. You'll want to click on each one to be able to actually read them.

Here's the process.

1. Connect up to the router and open up a browser. Go to http://routerlogin.com/ . You'll actually be redirected into the router (this is a magic domain Netgear has set up for this purpose). If it doesn't start the wizard automatically, click on 'Setup Wizard' in the left frame.



2. If the firmware is not the latest one (as of this writing, it's what is shown in the screenshot), then disconnect from the router, go fetch the latest firmware from Netgear and come back to this page. Click the 'upgrade' button, supply the firmware to the router, let it reboot and start over.

Otherwise, click 'next'.



3. Wait



4. Enter 'ISPDA@CINGULARGPRS.COM' in the username field and 'CINGULAR1' in the password field. Click 'next'.



5. Wait



6. Wait



7. Enter a name for your WiFi network. Click 'next'



8. Unless you feel like suicide by phone bill, click 'yes'.



9. Unless your computer doesn't support it, you should pick the WPA-PSK + WPA2-PSK option.



10. Enter in a fairly lengthy, mixed case passphrase for your WiFi network. You'll need to enter this in once in order to connect your computer to the new network being created, but your computer should remember it. Of course, anyone else who you invite to connect will also need to type it in, so it should be easy for you to either remember or look up.



11. At this point, you're done.

Thursday, January 28, 2010

SMS over IP?

One answer for improving cell phone coverage is to leverage local internet connectivity and use VoIP. T-Mobile had phones a while ago that had that as a feature. AT&T and Verizon's answer to this is microcells, which provide regular cell phone connectivity with the Internet as a backhaul. Of course, AT&T's microcell isn't available yet in most places. Adding the ability for phones to fall back to WiFi for phone calls is complex because of the relatively demanding requirements of full duplex voice conversations.

Most providers have a web page that can be used to at least send SMS messages.

I bet most of you are now way ahead of me.

It would be far, far easier to provide for SMS messaging over IP, because there are no demands for low latency or jitter. It would be simple for a phone to make a secure connection over an Internet connection provisioned with WiFi and use that connection to send SMS messages and poll for message delivery.

The carriers could even sweeten the deal by not charging for SMS messages sent over WiFi. Of course, given the obscene profits the carriers are making with SMS, the prospects of that actually happening are dim.

Wednesday, January 27, 2010

iPad

Ok. I've seen the video.

The iPad represents the arrival of the viewscreen technology portrayed in 2001: A Space Odyssey. Specifically, the scene where Bowman and Poole were watching themselves being interviewed on a BBC chat show. The devices they were watching look far more like iPads than any other device that has come along so far.

I can see the iPad serving one particular role for me, personally.

Right now, I use a macbook as an alarm clock. A cron job spawns Pulsar to play Squizz Octane.

There's no reason in the world that this job couldn't be done by a lesser device. Hell, there's no reason in the world that this couldn't be done with an iPod Touch. XM needs to make it possible for their app to automatically start playing your favorite channel when it is launched, and Apple needs to add the ability for the alarm clock to launch an app at a particular time.

Alas, until those two features exist, I have no choice but to keep using a laptop. Because it is an open platform. I have access to cron. cron may or may not be running on the iPhone / iPod Touch / iPad OS variant, but I'll never know because it's not accessible in any meaningful way. And because Apple has such control over the platform, all I can do is patiently wait for them to do what I want them to do (if they ever do).

The closed platform has advantages. There's no malware, for instance. But the flip side of that coin is that there is no Full Tilt client for the platform. Not because Apple would have anything against online poker, per se, but because of the legal quagmire surrounding online poker, there's no way that Apple could approve an app to be in the store without getting dragged into legal hot water. And since there's no other (reasonable) way to get software onto the device, that's the end of it.

I don't mind a closed platform for my phone. The advantages in terms of making the device both resilient and safe far outweigh the limitations. But once we're not talking about a phone, I think the disadvantages of the closed platform loom too large to be ignored.

Happy Birthday to me... times a thousand

So it's interesting how sometimes technology can lead in unexpected directions.

The authors of phpBB included a spot on their account creation form for you to put your birthday in. This is, more or less, required by federal rules about websites tracking minors and stuff. They decided it would be fun to use that information, since they have it handy, and send you an e-mail wishing you happy birthday.

It's a nice thought.

This morning I opened my e-mail and had 24 of them. Almost all of them worded exactly the same. A bit of a Sorcerer's Apprentice broomstick pailful of birthday cheer. It gave me a bit of a chuckle. At least now I know how many phpBB forum accounts I've managed to create over time.

I guess if there's a lesson here, it's to check the default settings in any software you install - particularly any software that automatically generates e-mail.

Tuesday, January 26, 2010

Now THIS movie, I'd go see...

I'm glad to see Tom Hanks branching out.

Avatar, IMAX 3D

Scarlet and I saw Avatar this evening. We went all-out and saw it at the IMAX theater at the AMC multiplex at Cupertino Square.

I was under the misinformed impression that IMAX movies were shown on domed theaters. This theater was just like any other theater I've been in in the last year. I thought perhaps the screen was a bit bigger, and the aspect ratio looked to me to be more square.

As for the 3D part, that doesn't really do anything for me, because my left eye doesn't really work. I've always had trouble with 3D movies. 3D movies are universally designed to present slightly different images to each eye. The first such systems attempted to do this with red and green colored gels, and systems in the 80s and 90s used LCD light shutters to present alternating frames to each eye. Both of those systems really sucked for me. The colored lenses wound up giving me nothing but green, and the alternating frames just halve the frame rate, effectively, which just introduced unacceptable levels of flicker.

Invariably, whatever glasses they hand out for such presentations are required, otherwise your eyes see both images, which results in horizontal blurring.

Well, I'm happy to say that for the first time, I was able to watch a 3D movie without any of the problems I've had in the past. The new systems use simultaneous projection of light with different polarization. So long as I kept the glasses on, it looked, well, just like any other movie does. Occasionally, the polarization didn't exactly meet up and I saw a faint ghost of the view for the other eye, but if I adjusted my head slightly, I could minimize it.

Meanwhile, Scarlet said that the 3D effects in the movie were amazing. She felt like things were flying towards her, like she could have caught them. I was a little envious. But it's a little like listening to tetrachromats describe what they see. If you don't see what they see, it can't really be properly described.

The movie was good. It can, however, be rather fairly described as Pocahontas meets Halo.